Care.data has had a bad seven days. Last Tuesday it received a
serious mauling by the Commons Health Committee. On Friday, Health Secretary
Jeremy Hunt came sailing to the rescue with an announcement of
new laws that will bar the NHS from selling personal medical records for insurance
and commercial purposes - though care.data boss Tim Kelsey had told us it was
already “a criminal offense”.

Will this be enough to save the once proud flagship of this Government’s
shiny new NHS? Or is it too late for patch and mend?

Today,
another blow - Tory MP Sarah Wollaston questions how the entire hospital
patients database had been uploaded to Google Servers, allowing PA Consulting
to create “interactive maps” of the data. Phil Booth of
medConfidential, which campaigns on medical privacy, said every day another
instance of "whole population level data being sold emerges which had been
previously denied".

Perhaps the real issue is that once the public woke up to what care.data
was all about, it was always going to be a difficult sell. Care.data’s survival
has not been helped by a perfect storm of political ineptitude and managerial
arrogance.

Before 2013 an established framework existed for processing patient
data. Section
251 of the NHS Act 2006 set out precisely what data might be processed, and
carried significant sanctions and fines for breaching patient
confidentiality. Data protection law imposed its own significant criminal
sanctions where section 251 was breached. And Human Rights legislation,
imposing serious privacy obligations on public bodies, created a triple lock on
patient confidentiality.

This basic structure was complicated by the Health and Social Care Act,
which took full effect in April 2013. Whereas previous legislation enabled
primary care trusts to use data for planning purposes, key data handling
responsibilities were not passed on to the new commissioning groups. They still have planning to do, but - according to eHealth Insider - no legal cover for the data
processing they need to carry out to achieve it.

Instead, Section 254 of the Act established that the NHS’s new data
centre, the Health and Social Care Information Centre, may collect patient data
and pass it on to others where the Secretary of
State “otherwise considers it to be in the interests of the health service in
England or of the recipients or providers of adult social care in England”.

So almost all data handling must now pass through HSCIC which, before
the ink was dry on the new structure, was talking up care.data – a major new
initiative that took data sharing to lengths unimagined in previous
legislation.

On Tuesday in the House of Commons, Health Minister Dan Poulter assured us
that the latest legislation put in place unprecedented safeguards around
patient data.

This is true only in the sense that a law enabling a new 200mph car on
UK roads and limiting it to 70mph provides unprecedented
safeguards. There would be no need of such safeguards
if government and NHS had stuck with the status quo.

The HSCA 2012 is one of those monstrous modern pieces of legislation
that reads more like a computer spec than law. It sets out what various
government bodies MAY do. It has clauses about quality indicators and
information standards and registers and, bizarrely, issues such as who may be
allowed to propose a quality indicator.

What it does not have is any re-statement of legal penalties for those
who mis-use the data.

This might be less of an issue if there had not been a simultaneous loss
of trust over both our privacy rights, and waves of NHS ‘reform’ and management
double-speak.

Addressing the committee, Tim Kelsey, NHS England IT Director, blamed a “confused
media environment”. He argued that all that was needed to put matters right was
better, more intense communication. He had, he assured us, been a firm believer
for years in the principle that “patients own their own data” – though that
sits uneasily against his own assertion,
four short years ago, that “no one who uses a public service should be allowed
to opt out of sharing their records”.

Care.data boss Kelsey - who founded private health data company Dr
Foster a few years back - has delivered a series of defences which haven’t
quite convinced.

He claimed that the care.data information leaflet was delivered to every
household when, demonstrably, it hadn’t. On Radio 4, on 19 February, Kelsey was
emphatic in re-assuring listeners that data sharing with insurers was
‘criminal’ – even though a week previously the HSCIC team had quietly
downgraded its website notice on the status of such activity from ‘illegal’
(which is not necessarily criminal) to
merely ‘prohibited’.

All this became less than academic with the latest wave of revelations
that earlier sets of patient records HAD been released to insurers,
albeit under the auspices of the previous legal regime.

The inept communication makes it so much easier to dismiss as bluster
the assertion, also by Kelsey, that if care.data suffers 90% opt out it would
be “all over for the NHS”.

This tendency to play word games may win debating points, but it is
losing the bigger game of public confidence. The trust gap matters.

For government has implemented a radical change in the laws governing
patient data. It needs unprecedented safeguards, because it is taking an
unprecedented step. Putting additional legal safeguards in place will help: but
if the public – and patients – continue to distrust those administering the new
system, it will make no difference. Is care.data doomed to sink ignominiously
beneath the waves of public distrust?

It’s perhaps unfair to pick solely on Kelsey - the government also seems
to suffer from an impulse towards word games.

Daniel Poulter MP claimed on Tuesday that data sharing would only be
allowed where that is in the interests of both “recipients AND providers” - in other words, both
patients and health organisations, public and private.

But Poulter was wrong. As he previously read correctly from the Act, the
test is what benefits “recipients OR providers”.

It’s a small difference but one which, critics fear, could allow a world
of data exploitation.

Besides, as the Department of Health team gloss over, “benefit”, in the current law, is
whatever the Health Secretary defines it to be.

Safeguards? Or just more words that mean whatever NHS senior bosses want them to mean? We shall see.